I currently use ActiveDirectory for authentication on my Ubuntu 10.04 servers using a tool called Centrify Express. Centrify has a custom .so file that is configured in /etc/pam.d/common-auth.

I'd like to do normal LDAP authentication (bypassing centrify) for just SFTP users (not SSH logins). How would I configure /etc/pam.d/sshd to try LDAP authentication for SFTP logins, but not SSH logins? The idea is that my SFTP OU would allow users to download, and upload files, but they wouldn't be able to get a shell.

What is it about Centrify that makes plain LDAP a more suitable alternative for sftp users?
–
larsks May 24 '12 at 18:38

Centrify Express (the free version) doesn't allow us to control the UID, and GID of users/groups. When a user connects, they are given a random UID near the top of the range. This makes managing permissions across servers difficult.
–
GregB May 24 '12 at 19:11

2 Answers

If I understand your question correctly, you are looking to provide only sftp service (that is, no interactive logins via ssh).

You can force connections to use the sftp service by adding this to your sshd_config file:

ForceCommand internal-sftp

This is documented in the sshd_config man page:

ForceCommand
Forces the execution of the command specified by ForceCommand, ignoring any
command supplied by the client and ~/.ssh/rc if present. The command is
invoked by using the user’s login shell with the -c option. This applies to
shell, command, or subsystem execution. It is most useful inside a Match
block. The command originally supplied by the client is available in the
SSH_ORIGINAL_COMMAND environment variable. Specifying a command of
“internal-sftp” will force the use of an in-process sftp server that requires
no support files when used with ChrootDirectory.

You can modify /etc/pam.d/sshd to configure sshd to use the normal pam_ldap module rather than the pam module provided by Centrify.

With these configuration changes in place, sftp connections will use normal LDAP authentication, and interactive shells will not be available.
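As an added illustration (not part of the answer above), this is how the ForceCommand and ChrootDirectory settings from the man page excerpt combine in a Match block, so only members of one group are confined to sftp while other users keep their normal login. The group name sftponly and the chroot path /srv/sftp/%u are assumed for the example; adjust them to your own layout.

```conf
# /etc/sshd_config fragment (example, not from the original answer)
#
# Everything above this point applies globally. Match blocks must come
# LAST in the file: every directive after a "Match" line belongs to that
# block until the next "Match", so placing this mid-file would silently
# scope your global settings to the sftponly group.

Match Group sftponly
    # Confine the session to a per-user directory. sshd refuses the
    # chroot unless /srv/sftp and /srv/sftp/<user> are owned by root and
    # not group- or world-writable, so give users a writable subdirectory
    # (e.g. /srv/sftp/<user>/upload) rather than the chroot root itself.
    ChrootDirectory /srv/sftp/%u

    # In-process sftp server: needs no /bin/sh, libraries or device nodes
    # inside the chroot, and ignores any command the client sends,
    # which is what removes the possibility of an interactive shell.
    ForceCommand internal-sftp

    # With no shell available, also close the side channels an sftp-only
    # account has no reason to use.
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

Check the result with `sshd -t` before restarting sshd, and confirm from another session that a member of sftponly can `sftp` in but `ssh user@host` is dropped after authentication.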